authorJulius Härtl <jus@bitgrid.net>2021-08-04 15:52:10 +0200
committerJulius Härtl <jus@bitgrid.net>2022-12-21 21:17:16 +0100
commit6abb37317f9a5e0dd4744b0c4a221ee04ffc700f (patch)
tree0678cb82fa36fb639fd5d905b4b7843296a2c3d0 /lib/base.php
parentc1a99ca58ffdcf37c7f9aaffdb336de45de98231 (diff)
Do not setup a session when not required on WebDAV requests
If basic auth is used on WebDAV endpoints, we will not setup a session by default but instead set a test cookie. Clients which handle session cookies properly will send back the cookie then on the second request and a session will be initialized which can be reused for authentication. Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'lib/base.php')
-rw-r--r--lib/base.php20
1 files changed, 15 insertions, 5 deletions
diff --git a/lib/base.php b/lib/base.php
index a847373ea2b..a7c36bcd3fe 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -73,6 +73,7 @@ use OC\Share20\Hooks;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\Group\Events\UserRemovedEvent;
use OCP\ILogger;
+use OCP\IRequest;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Server;
@@ -408,7 +409,16 @@ class OC {
}
public static function initSession(): void {
- if (Server::get(\OCP\IRequest::class)->getServerProtocol() === 'https') {
+ $request = Server::get(IRequest::class);
+ $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
+ if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest) {
+ setcookie('cookie_test', 'test', time() + 3600);
+ // Do not initialize the session if a request is authenticated directly
+ // unless there is a session cookie already sent along
+ return;
+ }
+
+ if ($request->getServerProtocol() === 'https') {
ini_set('session.cookie_secure', 'true');
}
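Review bot: The `setcookie('cookie_test', 'test', time() + 3600);` line emits the probe cookie with no `secure` or `httponly` attribute, while the same function sets `session.cookie_secure` for https a few lines below, so the new cookie is the one cookie this code path sends without the protections the session cookie gets. The marker carries no secret, but keeping it consistent costs one line: `setcookie('cookie_test', 'test', ['expires' => time() + 3600, 'secure' => $request->getServerProtocol() === 'https', 'httponly' => true]);`. Separately, `getRequestUri()` presumably still contains an installation sub-directory prefix, in which case the `strpos(..., '/remote.php/dav') === 0` test never matches on sub-path installs and the early return is silently skipped; `getRawPathInfo()`, which this file already uses further down, looks like the intended input — confirm against `IRequest`. The body of `initSession` continues past the end of this hunk.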
@@ -516,7 +526,7 @@ class OC {
* also we can't directly interfere with PHP's session mechanism.
*/
private static function performSameSiteCookieProtection(\OCP\IConfig $config): void {
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
// Some user agents are notorious and don't really properly follow HTTP
// specifications. For those, have an automated opt-out. Since the protection
@@ -778,7 +788,7 @@ class OC {
return;
}
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
$host = $request->getInsecureServerHost();
/**
* if the host passed in headers isn't trusted
@@ -840,7 +850,7 @@ class OC {
if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) {
// reset brute force delay for this IP address and username
$uid = $userSession->getUser()->getUID();
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
$throttler = Server::get(\OC\Security\Bruteforce\Throttler::class);
$throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]);
}
@@ -970,7 +980,7 @@ class OC {
exit();
}
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
$requestPath = $request->getRawPathInfo();
if ($requestPath === '/heartbeat') {
return;